Insurance and education should be weapons in fight against cyber-crime

The majority of businesses do not have cyber security insurance, with many not even aware such protection exists – and even those that do have insurance in place may find themselves at a loss if they don’t have the correct cover. The solution may be to mandate more data sharing and raise public awareness, according to speakers at a roundtable organized by software security company Kaspersky Lab.

“The state can encourage the sharing of data. Ideally it should be voluntary, but if there is an absence of sharing, we would like the government to enforce the sharing of data,” said Nick Beecroft, manager, emerging risks & research, Lloyds. “The data should be anonymized. But we all have a shared interest in this. We don’t want the state to dictate the direction of the market, but they can certainly do some things to mandate the core elements.”

Beecroft’s comments reflected evidence of the continuous rise in cyber-attacks, which have continued to increase in pace and sophistication in recent years. Recent cyber-crime incidents include an identity theft attack on Anthem Insurance that exposed 78.8 million records, as well as a 21 million record breach at the US Office of Personnel Management; a 50 million record breach at Turkey’s General Directorate of Population and Citizenship Affairs; and a 20 million record breach at Russia’s Topface. In total, 246 million records were compromised by criminal activity in the first six months of 2015 alone, according to statistics provided by Gemalto.

Although initiatives such as the DTCC’s Soltra have been introduce to provide for sharing of information on threats by financial institutions, so far membership of these initiatives has been voluntary and banks are not legally obliged to take part. The argument in favour of mandating data sharing is that the wider public interest served by sharing information on threats outweighs the interests of conservative financial institutions in keeping their information private.

Other participants pointed to a lack of awareness among senior business executives about the extent to which many businessED are unprepared for a cyber-attack. According to John Hurrell, chief executive of Airmic, the percentage of chief executives in a recent survey who believed they had insurance coverage against cyber risks was 52%. In the same study, the percentage of CFOs and risk officers who thought they were covered was 15-20%, and the percentage who actually had it was 10%. Meanwhile, the insurance market estimate was that insurance coverage had a penetration of just 2% of the market. “The difference between perception and reality is huge,” said Hurrell. That is a problem.”

The idea that more education is needed has been a staple of cyber-security specialists for a long time. That view has not changed – indeed, calls for actions are increasing. “We are not being fed public safety campaigns aimed at the general public,” said David Emm, principal security researcher, Kaspersky Lab. “I remember the road safety adverts about wearing a seatbelt. All of this really rests on public awareness. We’re not seeing the kind of public education in cyber security that we need. Maybe we should.”

Regulators and government enforcement agencies around the globe were also urged to work together more often, a step which is seen by many as a necessary prerequisite to catch and punish the perpetrators of cyber-crime, many of whom carry out their nefarious activities across international borders. “Right now there is very little disincentive to carry out cyber-attacks,” said Beecroft. “We need more global cooperation between organizations such as GCHQ and Interpol and so on to provide that disincentive.”

Emm agreed, adding that there had been some notable wins involving multiple agencies acting in cooperation with each other, including the FBI in the US and others. “These organizations are taking steps to build their expertise and to partner with individuals and companies that do have those skills,” he said.